An increasing number of Visma products are developed and operated according to the Visma Cloud Delivery Model (VCDM). VCDM is a continuously improving framework Visma uses to ensure that we deliver cloud software that is secure, reliable, performant, and responsive to customer needs.
Everything, from how we are organised to how we work and the technology we use, is aligned with these goals.
We believe this way of working gives us and our customers a competitive advantage. In this article, we will go into a bit more detail about how we work and what it means for you as a customer.
How VCDM takes into account the organisation, work methods, and customer needs
VCDM software is designed, developed, delivered and operated by cross-functional teams that take full ownership, not only of the code and infrastructure involved, but more importantly, the quality of the service they deliver, including the entire user experience.
VCDM teams continuously monitor the software they develop and use this information to improve it further.
Automation and agility
Testing and delivering new versions of the software is highly automated, which means that we can react to feedback, market needs and other events very quickly.
This capability allows us to more quickly find the best solutions, and to fix any potential problems before they impact a user. Most VCDM teams will make software improvements available to their users many times a week, or even many times a day.
So far, we have released improvements to VCDM software 9,834 times in 2020.
The software we make, the infrastructure we use, and the internal processes we follow are all designed to deliver at least 99.8% availability. This means that in any 30-day period, the software should not be unavailable to you as a user for more than 86 minutes.
So far, our average availability for VCDM software in 2020 is 99.97%, or 13 minutes of unavailability per month. It’s important to note that we count all unavailability, including vendor failures and maintenance windows.
If something does go wrong with the service we deliver to customers, we like to be prepared. That’s why we perform robustness testing and spend time analysing what can go wrong and how the software will behave in those situations.
Then, we plan how we need to respond in those scenarios so that we are able to recover as quickly as possible within our recovery objectives. All VCDM software has a business continuity plan that is regularly updated, reviewed, and tested.
These plans typically include backup and recovery of customer data, failure of critical software dependencies and hardware or cloud platform failures.
Part of the business continuity plan for a Visma product.
If the software doesn’t work as expected and it has a significant impact on our customers, we handle that as an operational incident. Our target is to resolve incidents as quickly as possible, and in less than 90 minutes.
During the process, we keep our customers informed on status.visma.com. When everything is back to normal, we take the time to analyze what happened, learn, and make improvements to reduce the chance and/or impact of something similar happening again.
So far, we have handled 57 incidents with customer impact in 2020, with a mean time to repair of 136 minutes.
All VCDM teams set and maintain internal performance targets to ensure that the software you use performs according to your needs. This includes things like response times, throughput, and capacity.
Capacity planning for a Visma product: Part of a larger performance management plan that details our targets and expectations for the software.
We regularly review our performance testing and performance monitoring efforts to make sure that we are able to meet these targets. If we see big performance deviations, we treat them as an operational incident, which means we bring all hands on deck to resolve the problem as quickly as possible.
To make sure our software is secure, we educate both our technical and non-technical staff through mandatory training and regular internal communications. Developers regularly use application security training software to become even better at avoiding, identifying, and mitigating common security vulnerabilities.
Our development teams are continuously sharpening their application security skills using Secure Code Warrior.
All VCDM teams have a Security Engineer who is responsible for making sure our security program is implemented and for distributing security knowledge to the rest of the team.
The security of VCDM software is regularly peer-reviewed (at least yearly). These assessments include things such as analysing and minimising the attack surface, strategies to protect against common vulnerabilities, and securely handling keys and credentials. They also cover encryption at rest and in transit, network security, identifying and mitigating privacy risks, and more.
Part of an attack surface analysis for a Visma product.
We also use security tools to regularly and automatically scan the code we write, any third party components we use, and our production environments, for potential security vulnerabilities.
An internal security team also regularly performs manual penetration testing (at least yearly). All of the above is mandatory for all VCDM software.
Black Duck Binary Analysis is reporting a new vulnerability in a third party component. The component has since been updated.
Additionally, for some of our software, we give external security researchers permission to attempt to find vulnerabilities in our software. If they find potential vulnerabilities, we award them recognition and a monetary reward.
Since January 2019, Visma has paid out more than $200,000 in bug bounties to make our software more secure.
Ioana Piroska speaks at Visma SecCon 2020 about Visma’s Bug Bounty program.
Whenever a potential security vulnerability is identified, we have processes in place to make sure it is investigated and mitigated quickly.
To ensure the security and privacy of customer data, all VCDM software is developed and operated following the least privilege principle.
This means that we don’t access customer data unless it is absolutely necessary and that any necessary access is limited both in time (minutes or hours) and in scope. The time of access is logged together with the reason why it was accessed.
Our way of working, VCDM, including the processes we use to design, develop, deliver and operate VCDM software, is ISO 27001-certified.
This means that an external auditor has verified that we have security controls embedded in our processes that help make our software more secure. Individual Visma products may also have additional certifications.
In our experience, transparency builds trust. We often talk publicly about the Visma way of working at meetups, conferences and other events. We share knowledge and experiences with other companies.
We will also sit down with potential and existing customers to not only explain how we work, but also show internal data and documentation so that you can be confident in the service we provide.